Security & trust

Your data, guarded like it’s ours.

Orders, costs, customer lists — crown-jewel data. We treat it that way. Here’s exactly how the platform is built, what we do, and who you can email when you have questions.

See how it works · security@hmtgroup.com
Encryption: AES-256 / TLS 1.3
Identity: MFA · SSO-ready
Monitoring: Real-time + audit logs
Backups: Point-in-time, 30 days
Tenant isolation: Every request, every query
Your data: Exportable, always
How it’s built

Six practices. No exceptions.

No buzzword parade. These are the specific things we do — the same answers we’d give your IT team on a call.

Encryption at every layer

AES-256 at rest in our managed Postgres database. TLS 1.3 for every HTTP request. Secrets rotated on staff changes and never checked into source control.

Identity you can trust

We don't roll our own auth. A best-in-class identity provider handles password storage, MFA, session management, Google & Microsoft SSO on Growth, and full SAML + SCIM on Enterprise.

Observability, not opacity

Every error is captured with PII scrubbing. Full request logs retained 30 days. Every production change is tied to a commit, a pull request, and a reviewer.

Small, modern, boring stack

We pick well-known, well-audited infrastructure over anything exotic. Fewer moving parts means fewer places for things to go wrong — and a smaller surface area for attackers.

Backups & recovery

Point-in-time recovery for 30 days. Daily snapshots retained 90 days. We test restores quarterly. RPO: 5 minutes. RTO: under 4 hours.

Your data, your export

CSV export from every table. Full JSON API on Growth and Enterprise. If you want to leave, you leave with everything. We'll help you migrate — no hostage-keeping.

How we operate

The questions IT always asks.

Answered once, here, in plain English.

Who can access production
A small, named group of on-call engineers. Every session is logged and reviewed.
Change management
Every production deploy ships from a merged PR with at least one reviewer. No direct pushes, ever.
Dependency hygiene
Automated dependency scanning on every commit. High/critical CVEs block merges.
Incident response
Security reports go to a channel the founders live in. Median acknowledgment: under an hour during US business hours.
Data deletion
Account deletion purges your data within 30 days. Backups expire after 90. Confirmation email when complete.
Subprocessors
Full subprocessor list with purpose + region available on request under NDA.
AI and your data
Your business data is never used to train AI models. AI calls are per-tenant, scoped to your workspace, logged.
Pen testing
Annual third-party penetration test. Summary report available under NDA for Growth and Enterprise.
Who runs it

Built and run by HMT Corp.

Business Commander is built by HMT Corp — a software company focused on mid-market manufacturing. Every layer, from the Claude-powered automation to the production database, runs on enterprise-grade infrastructure with the same posture our customers use.

Security reports, questions, and disclosure requests go to security@hmtgroup.com — responses typically within an hour during US business hours.

Stack — what runs your data
Hosting: US-region cloud, SOC 2-audited
Database: Managed Postgres, US region
Identity: Enterprise identity provider
Billing: PCI-compliant processor
Monitoring: Real-time error + log platform
AI: Enterprise LLM with no-train guarantee
Enterprise-grade infrastructure providers. We inherit their uptime, their DDoS protection, their physical security — and layer our application on top.

Questions we didn’t answer here?

Ask anything. Plain-English answer from a founder within hours.